Skill v1.1.0

ClawScan security

Prediction Stack Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 14, 2026, 3:27 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (an orchestrator that validates and executes Kalshi trades) is plausible, but the instructions and included files ask the agent to read local configs, probe processes, and call services (Claude, Kalshi SDK) while declaring no credentials or config paths and contain a prompt-injection pattern—these mismatches are unexplained and warrant caution.
Guidance
Do not install or run this skill in a sensitive environment without clarification. Before proceeding, ask the publisher to: (1) explicitly list required environment variables (Kalshi API key, model API key/credentials, any DB or secrets) and explain why each is needed; (2) justify why the skill needs to read prompt-lab/home files and provide a minimal, documented config surface; (3) remove or explain any system-prompt override text in SKILL.md; (4) explain the monitor/server.py behavior and whether you should run it (it probes processes, reads local files, and serves them via an open HTTP API). If you must test, run it in an isolated sandbox or VM, audit server.py and SKILL.md fully, and never supply broad credentials to an untrusted or opaque skill.
Findings
[system-prompt-override] unexpected: SKILL.md contains a prompt-injection/system-prompt-override pattern. This is not an expected artifact for a trading orchestrator and may indicate attempts to change agent/system prompts or behavior. Treat as suspicious; ask the author which parts of the SKILL.md are intended as agent instructions versus meta-level prompt modifications.

Review Dimensions

Purpose & Capability
concern
The skill claims to orchestrate Kalshi trading (needs model access, Kalshi SDK, and API keys) but the registry metadata declares no required environment variables, no config paths, and no primary credential. The SKILL.md and included files explicitly reference Claude Opus, Kalshi SDK execution, Kelly sizing, and reading prompt-lab files (ensemble_weights.json, kelly_config.json, market_filter.json). Requiring access to local prompt-lab data and trading APIs is consistent with the feature, but failing to declare those credentials/config paths is a mismatch and reduces transparency.
Instruction Scope
concern
SKILL.md instructs the agent to orchestrate markets, validate model outputs, manage retries, and execute trades, and it references reading local config/state (prompt-lab, home files, retry history). The pre-scan flagged a 'system-prompt-override' pattern in SKILL.md, which suggests the skill may try to manipulate agent/system prompts. The instructions (and the included server.py) also direct the code to inspect running processes (ps/pgrep) and read various files in PROMPT_LAB or the user's home directory—actions that reach beyond pure orchestration and could access sensitive local state.
Install Mechanism
note
There is no install spec (instruction-only), which reduces automatic disk writes and privileged installs. However, the bundle includes a monitor web UI and monitor/server.py that, if executed by the user or agent, will read local files and probe system processes and serve them over HTTP (CORS-enabled). Absence of an install step means nothing is auto-installed, but the provided code could be run manually and would then perform system introspection.
Credentials
concern
The skill does not declare any required credentials but plainly requires/assumes access to external APIs and local configs: Claude model access (Claude Opus), Kalshi SDK/API credentials to place trades, and local prompt-lab files (eval results, ensemble weights, kelly configs). The lack of declared env vars like KALSHI_API_KEY or MODEL_API_KEY is disproportionate and obscures what secrets the skill will need or attempt to read. Additionally, server.py reads files under the user's home and PROMPT_LAB and exposes them via an HTTP API, which could expose sensitive data if run.
Persistence & Privilege
note
always is false and the skill is user-invocable (normal). The skill does not request persistent 'always' inclusion. However, the included monitor/server.py exposes system/process/config information via an HTTP JSON API (with Access-Control-Allow-Origin: *). If a user runs this server on a host containing secrets, it could leak them to local network clients. The skill does not attempt to modify other skills' configs in the files reviewed.